PS3 finally hacked?

[+Audioboxer Subscriber²]

Whenever you insert a disc (bluray one that is) the ps3 drive will look at a special area of the disc called the Pic Zone (the BD ROM Mark is actually used in movie discs but not in game unlike what I first thought).

The PIC Zone which stands for Permanent Information & Control data Zone contains informations/data related to the disc's authentication which is done by the playstation 3 bluray drive. This area cannot easily be dumped (you'd pretty much need a bluray drive with a hacked firmware) and of course that specific area cannot be burned on any kind of discs or with any kind of burners commercially available.

There is no absolute certainty to what data the PIC zone actually contains, I initially thought that Sony would use a public/private cryptography cypher to authenticate the discs but that is quite unlikely considering the limited resources of the drive controller. There isn't any kind of hard cryptographic layer on the discs as I first expected, so the security on the discs themselves is much less invasive as I initially thought. Yet the fact that the PIC zone can't be rewitten without any kind of special equipment (basically a bluray discs factory) does its job well when it comes to preventing backups.

The authentication procedure itself is done through the use of a per bluray drive key pair, one being located on the drive controller itself while the other is stored encrypted in the playstation 3's EID area located on NAND. This key is also used while updating the drive which firmware's will be physically re-encrypted using that very same key and stored that way. As such you cannot swap a drive controller board from one ps3 to another, at least on earlier "fat" models. I have no idea if the drives are still paired with unique keys on the newer "slim" systems, though I do not know why it would be done another way. This also means that physically dumping the drive's firmware would lead nowhere with it being stored in an encrypted form. The only way to get a plain version of it would be to dump the drive controller's ram at runtime. Beside although I am not entirely sure about this, it is very unlikely that a command exists to read the firmware from the drive, should it exist, the dumped binary would still be encrypted, thus connecting the drive to a computer (the ps3 slim bluray drive uses a regular SATA or PATA bus depending on the model) literally leads nowhere..

Finally once the authentication procedure is done, there is another protection which happens to be a per sector software cryptographic layer, which I have the algorithm for (but which I can't share because I wasn't the one that initially reversed it) that cryptographic layer is the very same used on playstation 3 master discs as on retail ones with the exception of the key being used, masterdiscs are identified through their special masterdisc sectors locted at offset 0x7000 (sector 14) on the disc. The encryption itself is done in sector ranges rather than files, where the key for each sector is defined by the address of the said sector in correlation with an initial static key, on retail discs, there is a per disc key located at offset 0x800 on the disc with a header composed of "Playstation3" and the discs' title id such as "PlayStation3 BCES-00141" I assume that this key is in encrypted format and likely decrypted through lv2 by appldr.

The software cryptographic layer is done in such way that the disc sectors will be transparently decrypted so long as you are running a game or a playstation 3 application, this explains how easy it is to dump a disc's content whenever you can run playstation3 code on top of lv2.

The EBOOT.BIN as well as other self and sprx binaries themselves aren't tied to the disc's encryption, however their metadata may contain specific flags (in fact the ones on game discs always do) that will prevent them from being loaded from anywhere other than an authenticated disc (masterdiscs != authenticated discs) This would explain why someone on a debug console for instance can't just grab the games' binaries, put them on a masterdisc and hope for the game to just play. Other flags are being involved such as a "no debug" flag that will pretty much prevent you from loading your binary into sony's debugger.

Because the binaries on the discs still have to be signed as they are verified and decrypted by appldr, in the event that you would somewhat trick the drive into thinking that your disc is a genuine playstation 3 disc, you could still not have your own fself ("fake" secure elf, complied with Sony's sdk) in there and get it to run, thus this would never lead to homebrews no matter what some clueless people may claim about it.

Source: http://lan.st/showthread.php?t=1722

[t0mbi]

Any more news on the dumping process of the PSJB dongle?

[DPyro]

http://www.x3jailbreak.com/

[CentralDogma]

Source: http://lan.st/showthread.php?t=1722

I assume he's talking about hacking drive firmwares and not the PS Jailbreak?

Just FYI to everyone: The thread mentioned in to OP has been a great source of news, but I've been skipping most of the comments in it except for the ones with links in them.

Also these blogs have been relatively well updated by PS3 developers:

• http://streetskaterfu.blogspot.com/
  
• http://twitter.com/richdevx
  
• http://twitter.com/Mathieulh
  

[Tech Star]

http://www.x3jailbreak.com/

That was fast. :hmmm:

[t0mbi]

http://www.x3jailbreak.com/

err...what? What the hell?

[DPyro]

X3Jailbreak will sell between $20 - $40 USD apparently.

[mousestrap0731]

X3Jailbreak = Xecuter 3 Jailbreak?

Nah. That was my first thought though.

[DPyro]

Chat on IRC :ninja: (Also posted some info on his twitter)

<Mathieulh> what you want to look for is at the same place the jig auth happens

<Mathieulh> the jig auth is a challenge/response

<Mathieulh> and the code that does the actual auth is very well hidden

<Mathieulh> and also you can't dump it without lv1 privs

<comex_> one thing: how high privileges does the exploit you're thinking of give?

<Mathieulh> let's say it's not quite lv1 privs but it's high enough for you to patch lv2 and load it

<Mathieulh> you can also make use of all the hypercalls

<Mathieulh> and you can talk to syscon and set fancy flags

<Mathieulh> so yeah it's higher than we need it to be

[nub]

god damn comex hacks everything

[+Audioboxer Subscriber²]

While we are all up and excited about PSJailbreak (PSjb), there might be a risk on playing with PSjb on PSN. According to SKFUand RichDevX, the Backup manager game ID (LAUN-12345) could be logged/recorded by Sony when logged into PSN (when online). This would obviously allow Sony to see who would be using the illegal PSjb/clone and we could very well see ban waves similar to the Xbox 360. Sony does currently ban PSN/consoles that results in the 8002A227 error code.

As people start getting their PSjb in the next few week, we highly advise that you do not log into PSN while using the backup manager, which means no playing online.

Stay tuned for the latest development on PS Jailbreak.

http://www.ps3hax.net/2010/08/psjailbreak-detectable-and-bannable-on-psn/

[SkyDX]

Not that I'm pro illegal behavior but I like to speculate about tech stuff^^

Wouldn't it be easy to unban a PS3 as opposed to a 360? From what I got, unless your hacked 360 is JTagged, you have virtually no access to the core system making modifications impossible.

DPyro quoted Mathieulh who said we got pretty high system privileges, so if the privileges are possibly high enough to flash internal stuff, couldn't one simply alter the PS3s MAC address?

Assuming Sony even uses it to ban consoles of course.

[Intersect]

Not that I'm pro illegal behavior but I like to speculate about tech stuff^^

Wouldn't it be easy to unban a PS3 as opposed to a 360? From what I got, unless your hacked 360 is JTagged, you have virtually no access to the core system making modifications impossible.

DPyro quoted Mathieulh who said we got pretty high system privileges, so if the privileges are possibly high enough to flash internal stuff, couldn't one simply alter the PS3s MAC address?

Assuming Sony even uses it to ban consoles of course.

Iam sure Sony were clever enough to keep a record of every ps3's MAC addres's they sell to the public so spoofing it with a fake one

would not allow you to log onto PSN.

[tanjiajun_34]

I modifies Sony Ericsson phone. I can flash it too. I can modify internal system files. A lot people can do that too. But none managed to modify the IMEI.

Maybe same goes to the ps3?

[+Audioboxer Subscriber²]

Not that I'm pro illegal behavior but I like to speculate about tech stuff^^

Wouldn't it be easy to unban a PS3 as opposed to a 360? From what I got, unless your hacked 360 is JTagged, you have virtually no access to the core system making modifications impossible.

DPyro quoted Mathieulh who said we got pretty high system privileges, so if the privileges are possibly high enough to flash internal stuff, couldn't one simply alter the PS3s MAC address?

Assuming Sony even uses it to ban consoles of course.

You can change the 360's as well, but you need an address of an unbanned 360 anyway, meaning you somehow need to acquire another unbanned 360.

It'll be interesting to see if Sony ban PSN accounts, they've already done so for abuse in Home. Yeah yeah accounts are free but get your main banned and you lose all your downloads/trophies.

If they can ban in home I'm pretty sure they can ban for illegally using their stolen dev keys.

[mousestrap0731]

If I recall correctly, PlayStation Plus records the last 5 games played on each console to set for Automatic Download. This is probably how they would check for the Backup Manager's Game ID, even if you don't have PlayStation Plus.

[SkyDX]

I see, so hackers would need to make a modified PS3 appear normal and we all know how well that ended with 360 drive firmwares :rofl:

[AbandonedTrolley]

Was in Asda (UK) the other day and they are selling the old 80GB phats for ?150 not bad really if you fancy an offline machine.

[The Guvnor]

I modifies Sony Ericsson phone. I can flash it too. I can modify internal system files. A lot people can do that too. But none managed to modify the IMEI.

Maybe same goes to the ps3?

What was that all about ? Can i have some of that whatever it is that you are drinking ?

[AbandonedTrolley]

What was that all about ? Can i have some of that whatever it is that you are drinking ?

The fact that people have managed to previously flash Sony products but never been able to hide the actual unique identifier maybe?

[DrunknMunky Veteran]

The authentication procedure itself is done through the use of a per bluray drive key pair, one being located on the drive controller itself while the other is stored encrypted in the playstation 3's EID area located on NAND. This key is also used while updating the drive which firmware's will be physically re-encrypted using that very same key and stored that way. As such you cannot swap a drive controller board from one ps3 to another, at least on earlier "fat" models. I have no idea if the drives are still paired with unique keys on the newer "slim" systems, though I do not know why it would be done another way. This also means that physically dumping the drive's firmware would lead nowhere with it being stored in an encrypted form. The only way to get a plain version of it would be to dump the drive controller's ram at runtime. Beside although I am not entirely sure about this, it is very unlikely that a command exists to read the firmware from the drive, should it exist, the dumped binary would still be encrypted, thus connecting the drive to a computer (the ps3 slim bluray drive uses a regular SATA or PATA bus depending on the model) literally leads nowhere..

Pretty much the exact process in the 360 flashing then. I wouldn't be so sure on it leading nowhere, it seems that the actual cryptographic layer on the software sectors will be harder to crack. Which would explain why Team Jungle announced last week they were joining forces with Team Hades. 360 dvd keys are encrypted too when they're dumped and they managed to decrypt them.

You can change the 360's as well, but you need an address of an unbanned 360 anyway, meaning you somehow need to acquire another unbanned 360.

You don't actually need to have access to another 360, physically. People sell them online.

[SkyDX]

I just thought of something else, maybe I think too much PSP here but:

"Assuming we get all high access privileges, couldn't we simply store a modified firmware on the PS3s HDD with all online functions stripped out? We then could boot this FW for all our homebrew needs and if we want to play online we simply boot back to the original NAND firmware? Unless they scan the actual HDDs I doubt Sony could detect this."

Just a theory out of my mind inspired by the old PSP DevHook days^^

[torrentthief]

$140 for the jailbreak: http://www.gadget-asia.com/world-s-first-ps3-modchip-ps-jailbreak-order-now.html?src=email

crazily expensive!

[Rudy]

If the PS3 gets a CFW I'm buying one right away

[DPyro]

If the PS3 gets a CFW I'm buying one right away

The PS3 would be patched by then. Might want to hold onto one now before all the newer consoles are updated.